The spambot has collected millions of email credentials and server login information in order to send spam through “legitimate” servers, defeating many spam filters.
By Zack Whittaker for Zero Day
A huge spambot ensnaring 711 million email accounts has been uncovered.
A Paris-based security researcher, who goes by the pseudonymous handle Benkow, discovered an open and accessible web server hosted in the Netherlands, which stores dozens of text files containing a huge batch of email addresses, passwords, and email servers used to send spam.
Those credentials are crucial for the spammer’s large-scale malware operation to bypass spam filters by sending email through legitimate email servers.
The spambot, dubbed “Onliner,” is used to deliver the Ursnif banking malware into inboxes all over the world. To date, it’s resulted in more than 100,000 unique infections across the world, Benkow told ZDNet.
Troy Hunt, who runs breach notification site Have I Been Pwned, said it was a “mind-boggling amount of data.”
Hunt, who analyzed the data and details his findings in a blog post, called it the “largest” batch of data to enter the breach notification site in its history.
Benkow, who also wrote up his findings in a blog post, has spent months digging into the Ursnif malware, a data-stealing trojan used to grab personal information such as login details, passwords, and credit card data, researchers have said. Typically, a spammer would send a “dropper” file as a normal-looking email attachment. When the attachment is opened, the malware downloads from a server and infects the machine.
But while spamming is still an effective malware delivery method, email filters are getting smarter and many domains found to have sent spam have been blacklisted.
The spammer’s Onliner campaign, however, uses a sophisticated setup to bypass those spam filters.
“To send spam, the attacker needs a huge list of SMTP credentials,” said Benkow in his blog post. Those credentials authenticate the spammer in order to send what appears to be legitimate email.
“The more SMTP servers he can find, the more he can distribute the campaign,” he said.
Those credentials, he explained, have been scraped and collated from other data breaches, such as the LinkedIn hack and the Badoo hack, as well also other unknown sources. The list has about 80 million accounts, he said, with each line containing the email address and password, along with the SMTP server and the port used to send the email. The spammer tests each entry by connecting to the server to ensure that the credentials are valid and that spam can be sent. The accounts that don’t work are ignored.
These 80 million email servers are then used to send the remaining 630 million targets emails, designed to scope out the victim, or so-called “fingerprinting” emails.
These emails appear innocuous enough, but they contain a hidden pixel-sized image. When the email is open, the pixel image sends back the IP address and user-agent information, used to identify the type of computer, operating system, and other device information. That helps the attacker know who to target with the Ursnif malware, by specifically targeting Windows computers, rather than sending malicious files to iPhone or Android users, which aren’t affected by the malware.
Benkow said that narrowing down of would-be victims is key to ensuring the success of the malware campaign.
“There is a risk that the campaign can become too noisy, like Dridex, for example,” he told ZDNet. “If your campaign is too noisy, law enforcement will look for you.”
Benkow explained that the attacker can send out a million “fingerprinting” spam emails and get a fraction of emails back, but still have enough responses to send out a second batch of a few thousand targeted emails with malware.
“It’s pretty smart,” Benkow admitted.
According to Hunt, who processed the data, 27 percent of email addresses in the data are already in Have I Been Pwned. But he noted a caveat: Because the data has been scraped from the web, some of the data is malformed. He said that while the 711 million figure is “technically accurate,” the number of humans involved will be somewhat less.
Hunt has made the data now searchable in Have I Been Pwned.